May 25 has come and gone; we are all very aware of the GDPR, the European Union’s new set of data privacy laws.
It might be tempting to think that because you’re in SA, these laws don’t affect you or your company, but the EU is serious about its citizens’ privacy and complacency would be a mistake.
South African organisations that fall within the ambit of the General Data Protection Regulation have a very real obligation to comply with the legislation.
The GDPR makes it a legal obligation to process personal information in a manner that does not infringe on a data subject’s privacy.
Beyond avoiding the crippling sanctions for failing to do so, compliance can open up many opportunities and EU investments for South African organisations.
If you haven’t already, it is highly recommended that you start your GDPR compliance exercise now.
The GDPR document is long and complex, consisting of 99 articles, but here are six key points to start with:
- The territorial scope is wide and compliance is mandatory if you process EU citizens’ data: it does not matter whether you are in South Africa or Antarctica; if you process EU data, you are subject to the GDPR.
- Clear, unambiguous consent is important.
- Data subjects must be given a clear, simply drafted privacy notice.
- GDPR provides for the right to be forgotten.
- Data subjects are entitled to have their data deleted, corrected and made available to them.
- Noncompliance and gross negligence can result in a fine of 4% of your global revenue.